Privacy

A 14-Year-Old Asks: When Should I Get a VPN? 123

"One of my students sent me this letter," writes Slashdot reader Hasaf. "I have a good idea how I will answer, but I wanted to put it before the Slashdot community." The letter reads: Right now I am 14 years old, I was wondering when I should get a VPN... I was thinking about getting the yearly deal. But right now I really have no need for a VPN at the moment. I was thinking of getting a VPN when I'm in 11th grade or maybe in college. What do you think?
Of course, the larger question is what factors go into deciding whether your need to be using a VPN. So leave your best answers in the comments. When should you get your first VPN?
Advertising

For Under $1,000, Mobile Ads Can Track Your Location (mashable.com) 43

"Researchers were able to use GPS data from an ad network to track a user to their actual location, and trace movements through town," writes phantomfive. Mashable reports: The idea is straightforward: Associate a series of ads with a specific individual as well as predetermined GPS coordinates. When those ads are served to a smartphone app, you know where that individual has been... It's a surprisingly simple technique, and the researchers say you can pull it off for "$1,000 or less." The relatively low cost means that digitally tracking a target in this manner isn't just for corporations, governments, or criminal enterprises. Rather, the stalker next door can have a go at it as well... Refusing to click on the popups isn't enough, as the person being surveilled doesn't need to do so for this to work -- simply being served the advertisements is all it takes.
It's "an industry-wide issue," according to the researchers, while Mashable labels it "digital surveillance, made available to any and all with money on hand, brought to the masses by your friendly neighborhood Silicon Valley disrupters."
Media

Body Camera Giant Wants Police To Collect Your Videos Too (fastcompany.com) 58

tedlistens shares a report from Fast Company: Axon, the police supplier formerly known as Taser and now a leading maker of police body cameras, has also charged into police software with a service that allows police to manage and eventually analyze increasingly large caches of video, like a Dropbox for cops. Now it wants to add the public's video to the mix. An online tool called Citizen, set to launch later this year, will allow police to solicit the public for photos or video in the aftermath of suspected crimes and ingest them into Axon's online data platform. Todd Basche, Axon's executive vice president for worldwide products, said the tool was designed after the company conducted surveys of police customers and the public and found that potentially valuable evidence was not being collected. "They all pointed us to the need to collect evidence that's out there in the community."

[But] systems like Citizen still raise new privacy and policy questions, and could test the limits of already brittle police-community relations. Would Citizen, for instance, also be useful for gathering civilian evidence of incidents of police misconduct or brutality? [And how would ingesting citizen video into online police databases, like Axon's Evidence.com, allow police to mine it later for suspicious activity, in a sort of dragnet fashion?] "It all depends," says one observer, "on how agencies use the tool."

Privacy

Smartwatches For Kids Are a Total Privacy Nightmare (gizmodo.com) 35

An anonymous reader shares a report: Kids' smartwatches are usually intended to help parents feel at ease that their children are safe when they're not around. But as it turns out, a number of these devices may do more harm than good. A 49-page report on smartwatches for children details all the ways in which they are a security nightmare. The report (PDF), conducted by the Norwegian Consumer Council (NCC) and European security firm Mnemonic, analyzed four kids' smartwatches -- Gator 2, Tinitell, Viksfjord, and Xplora. According the NCC's report, two of the aforementioned devices were vulnerable to hackers, affording them the ability to remotely control the apps on the device. Through a breached device, the NCC says a hacker could access information on a child's whereabouts in real-time, uncover their personal information, and even communicate with the child. What's more, one of the devices could allow someone "with some technical knowledge" to discreetly listen to the child's surroundings. Beyond these gross invasions of privacy, the Council said certain key features of these devices -- an SOS button and a feature that alerts parents when kids leave virtual boundaries -- were unreliable. The report also notes issues regarding collecting user data -- only one of the product's terms and services allowed parents to opt in to or out of data collection. And one watch, the Xplora app, gave up children's data to marketers, the NCC said.
EU

EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto (theregister.co.uk) 81

The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. From a report: In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use. Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach -- by offering member states more support when they actually get their hands on an encrypted device. "The commission's position is very clear -- we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon," security commissioner Julian King told a press briefing. "We're trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
Security

Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security? 158

New submitter ctilsie242 writes: Many years ago, it was said that we would have a "cyber 9/11," a security event so drastic that it fundamentally would change how companies and people thought about security. However, this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.) With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother," what can actually be done to get businesses to have an actual focus on security. The only "security" I see is mainly protection from "jailbreaking," so legal owners of a product can't use or upgrade their devices. True security from other attack vectors are all but ignored. In fact, I have seen some development environments where someone doing anything about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the developers gave thought to any permission model at all, they would be tossed, and replaced by other developers who didn't care to "waste" their time on stuff like that.

One idea would be something similar to Underwriters Labs, except would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure," or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.) There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the U.S. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia, which actually have heavy fines as well as criminal prosecutions (i.e. execs going to jail)? This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism. Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?
Government

'Significant' Number of Equifax Victims Already Had Info Stolen, Says IRS (thehill.com) 105

An anonymous reader quotes a report from The Hill: The IRS does not expect the Equifax data breach to have a major effect on the upcoming tax filing season, Commissioner John Koskinen said Tuesday, adding that the agency believes a "significant" number of the victims already had their information stolen by cyber criminals. "We actually think that it won't make any significantly or noticeable difference," Koskinen told reporters during a briefing on the agency's data security efforts. "Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals." The IRS estimates that more than 100 million Americans have had their personally identifiable information stolen by criminal hackers, he said.

The Equifax breach disclosed in early September is estimated to have affected more than 145 million U.S. consumers. "It's an important reminder to the public that everyone can take any actions that they can ... to make sure we can do everything we can to protect personal information," Koskinen said of the breach on Tuesday, in response to a reporter's question. The IRS commissioner advised Americans to "assume" their data is already in the hands of criminals and "act accordingly."

Google

Toronto To Be Home To Google Parent's Biggest Smart City Project Yet (techcrunch.com) 54

Sidewalk Labs, the smart city subsidiary of Alphabet (the parent company of Google) with the stated goal of "reimagining cities from the Internet up," now has a very big sandbox in which to conduct its high-tech experiments. From a report: That's obviously an ambitious project, but some of the groundwork is already being laid: Alphabet's Google will be the flagship tenant for the new neighbourhood, anchoring the easter waterfront, to be called "Quayside," and Sidewalk Labs has committed $50 million to kick off pilot testing and planning in partnership with the City of Toronto. Sidewalk Labs won the contract through its response to a Request for Proposals issues by Waterfront Toronto, and organization created by the Canadian federal government, the Ontario provincial government and the City of Toronto together to foster development of Toronto's lakefront areas in ways that address urban sprawl while respecting the realities of climate change and taking into account the ability of the city's residents to get around efficiently. The area involved in the RFP that Sidewalk Labs will work with the government coalition to develop spans around 800 acres (though 12 acres are specified for the initial project), and is one of the largest underdeveloped urban areas in any North American city, making it a good target for Sidewalk's ambitious vision, which involves building smart cities holistically from the very start. Ultimately, the partners hope to turn the area into a "place for tens of thousands of people to live, work, learn and play -- and to create and advance new ideas that improve city life," according to a release from Sidewalk.
Google

'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com) 197

Google announced on Tuesday that it would offer stronger online security for "high risk" users who may be frequent targets of online attacks. The company said anyone with a personal Google account can enroll in the new "advanced protection," while noting that it will require users to "trade off a bit of convenience" for extra security. Motherboard reports: The main advantage in terms of security is the need for a key or token to log in as the second factor, instead of a code sent via SMS or via app. This is much better because there's no way for hackers to steal or phish this key from afar (there have been isolated incidents of hackers using social engineering to gain access to someone's cell phone number by getting the provider to issue a new SIM card, for instance). Thanks to these new features, Gmail is now the most secure email provider available on the internet if you are worried about hackers breaking into your private correspondence. "This is a major step in the right direction in offering the same kind of protection available to high-profile figures to everyday people," Kenneth White, a Washington D.C. based security consultant to federal agencies, told Motherboard. "They have really thought this through, and while it may not make sense for everyone, for those that need it, it's a much needed option."
Wireless Networking

Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com) 135

An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Security

Ask Slashdot: What Are Some Hard Truths IT Must Learn To Accept? (cio.com) 420

snydeq writes: "The rise of shadow IT, shortcomings in the cloud, security breaches -- IT leadership is all about navigating hurdles and deficiencies, and learning to adapt to inevitable setbacks," writes Dan Tynan in an article on six hard truths IT must learn to accept. "It can be hard to admit that you've lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you've budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn't the best solution for everything." What are some hard truths your organization has been dealing with? Tynan writes about how the idea of engineering teams sticking a server in a closet and using it to run their own skunkworks has become more open; how an organization can't do everything in the cloud, contrasting the 40 percent of CIOs surveyed by Gartner six years ago who believed they'd be running most of their IT operations in the cloud by now; and how your organization should assume from the get-go that your environment has already been compromised and design a security plan around that. Can you think of any other hard truths IT must learn to accept?
Google

Google Chrome for Windows Gets Basic Antivirus Features (betanews.com) 55

Google is rolling out a trio of important changes to Chrome for Windows users. From a report: At the heart of these changes is Chrome Cleanup. This feature detects unwanted software that might be bundled with downloads, and provides help with removing it. Google's Philippe Rivard explains that Chrome now has built-in hijack detection which should be able to detect when user settings are changes without consent. This is a setting that has already rolled out to users, and Google says that millions of users have already been protected against unwanted setting changes such as having their search engine altered. But it's the Chrome Cleanup tool that Google is particularly keen to highlight. A redesigned interface makes it easier to use and to see what unwanted software has been detected and singled out for removal.
Security

Millions of High-Security Crypto Keys Crippled by Newly Discovered Flaw (arstechnica.com) 55

Slovak and Czech researchers have found a vulnerability that leaves government and corporate encryption cards vulnerable to hackers to impersonate key owners, inject malicious code into digitally signed software, and decrypt sensitive data, reports ArsTechnica. From the report: The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest. The flaw is the one Estonia's government obliquely referred to last month when it warned that 750,000 digital IDs issued since 2014 were vulnerable to attack. Estonian officials said they were closing the ID card public key database to prevent abuse. On Monday, officials posted this update. Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-targeted individuals and organizations.
Microsoft

US Supreme Court To Decide Microsoft Email Privacy Dispute (reuters.com) 69

The U.S. Supreme Court on Monday agreed to resolve a major privacy dispute between the Justice Department and Microsoft Corp over whether prosecutors should get access to emails stored on company servers overseas. From a report: The justices will hear the Trump administration's appeal of a lower court's ruling last year preventing federal prosecutors from obtaining emails stored in Microsoft computer servers in Dublin, Ireland in a drug trafficking investigation. That decision by the New York-based 2nd U.S. Court of Appeals marked a victory for privacy advocates and technology companies that increasingly offer cloud computing services in which data is stored remotely. Microsoft, which has 100 data centers in 40 countries, was the first U.S. company to challenge a domestic search warrant seeking data held outside the country. There have been several similar challenges, most brought by Google.
Security

WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) 257

A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack. From a report: The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, a computer security academic, who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network. That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream. In other words: hackers can eavesdrop on your network traffic. The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices -- putting every supported device at risk. "If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website. News of the vulnerability was later confirmed on Monday by US Homeland Security's cyber-emergency unit US-CERT, which about two months ago had confidentially warned vendors and experts of the bug, ZDNet has learned.
Government

Ask Slashdot: Should Users Uninstall Kaspersky's Antivirus Software? (slashdot.org) 308

First, here's the opinion of two former NSA cybersecurity analysts (via Consumer Reports): "It's a big deal," says Blake Darche, a former NSA cybersecurity analyst and the founder of the cybersecurity firm Area 1. "For any consumers or small businesses that are concerned about privacy or have sensitive information, I wouldn't recommend running Kaspersky." By its very nature antivirus software is an appealing tool for hackers who want to access remote computers, security experts say. Such software is designed to scan a computer comprehensively as it searches for malware, then send regular reports back to a company server. "One of the things people don't realize, by installing that tool you give [the software manufacturer] the right to pull any information that might be interesting," says Chris O'Rourke, another former NSA cybersecurity expert who is the CEO of cybersecurity firm Soteria.
But for that reason, Bloomberg View columnist Leonid Bershidsky suggests any anti-virus software will be targetted by nation-state actors, and argues that for most users, "non-state criminal threats are worse. That's why Interpol this week signed a new information-sharing agreement with Kaspersky despite all the revelations in the U.S. media: The international police cooperation organization deals mainly with non-state actors, including profit-seeking hackers, rather than with the warring intelligence services."

And long-time Slashdot reader freddieb is a loyal Kaspersky user who is wondering what to do, calling the software "very effective and non-intrusive." And in addition, "Numerous recent hacks have gotten my data (Equifax, and others) so I expect I have nothing else to fear except ransomware."

Share your own informed opinions in the comments. Should users uninstall Kaspersky's antivirus software?
Crime

Dutch Police Build a Pokemon Go-Style App For Hunting Wanted Criminals (csoonline.com) 62

"How can the police induce citizens to help investigate crime? By trying to make it 'cool' and turning it into a game that awards points for hits," reports CSO. mrwireless writes: Through their 'police of the future' innovation initiative, and inspired by Pokemon Go, the Dutch police are building an app where you can score points by photographing the license plates of stolen cars. When a car is reported stolen the app will notify people in the neighbourhood, and then the game is on! Privacy activists are worried this creates a whole new relationship with the police, as a deputization of citizens blurs boundaries, and institutionalizes 'coveillance' -- citizens spying on citizens. It could be a slippery slope to situations that more resemble the Stasi regime's, which famously used this form of neighborly surveillance as its preferred method of control.
CSO cites Spiegel Online's description of the unofficial 189,000 Stasi informants as "totally normal citizens of East Germany who betrayed others: neighbors reporting on neighbors, schoolchildren informing on classmates, university students passing along information on other students, managers spying on employees and Communist bosses denouncing party members."

The Dutch police are also building another app that allows citizens to search for missing persons.
Privacy

Dutch Privacy Regulator Says Windows 10 Breaks the Law (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law. To comply with the law, the DPA says that Microsoft needs to get valid user consent: this means the company must be clearer about what data is collected and how that data is processed. The regulator also complains that the Windows 10 Creators Update doesn't always respect previously chosen settings about data collection. In the Creators Update, Microsoft introduced new, clearer wording about the data collection -- though this language still wasn't explicit about what was collected and why -- and it forced everyone to re-assert their privacy choices through a new settings page. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen. In the Creators Update, Microsoft also explicitly enumerated all the data collected in Windows 10's "Basic" telemetry setting. However, the company has not done so for the "Full" option, and the Full option remains the default. The DPA's complaint doesn't call for Microsoft to offer a complete opt out of the telemetry and data collection, instead focusing on ensuring that Windows 10 users know what the operating system and Microsoft are doing with their data. The regulator says that Microsoft wants to "end all violations," but if the software company fails to do so, it faces sanctions.
Data Storage

Researcher Turns HDD Into Rudimentary Microphone (bleepingcomputer.com) 65

An anonymous reader writes from Bleeping Computer: Speaking at a security conference, researcher Alfredo Ortega has revealed that you can use your hard disk drive (HDD) as a rudimentary microphone to pick up nearby sounds. This is possible because of how hard drives are designed to work. Sounds or nearby vibrations are nothing more than mechanical waves that cause HDD platters to vibrate. By design, a hard drive cannot read or write information to an HDD platter that moves under vibrations, so the hard drive must wait for the oscillation to stop before carrying out any actions. Because modern operating systems come with utilities that measure HDD operations up to nanosecond accuracy, Ortega realized that he could use these tools to measure delays in HDD operations. The longer the delay, the louder the sound or the intense the vibration that causes it. These read-write delays allowed the researcher to reconstruct sound or vibration waves picked up by the HDD platters. A video demo is here.

"It's not accurate yet to pick up conversations," Ortega told Bleeping Computer in a private conversation. "However, there is research that can recover voice data from very low-quality signals using pattern recognition. I didn't have time to replicate the pattern-recognition portion of that research into mine. However, it's certainly applicable." Furthermore, the researcher also used sound to attack hard drives. Ortega played a 130Hz tone to make an HDD stop responding to commands. "The Linux kernel disconnected it entirely after 120 seconds," he said. There's a video of this demo on YouTube.

Google

Google Permanently Disables Touch Function On All Home Minis Due To Privacy Concerns (bbc.co.uk) 48

Big Hairy Ian shares a report from BBC: Google has stopped its Home Mini speakers responding when users touch them. It permanently turned off the touch activation feature after it found that sensors primed to spot a finger tap were too sensitive. Early users found that the touch sensors were registering "phantom" touches that turned them on. This meant the speakers were recording everything around them thousands of times a day. Google said it disabled the feature to give users "peace of mind." Google's Home Mini gadgets were unveiled on October 4th as part of a revamp of its line of smart speakers. The intelligent assistant feature on it could be activated two ways -- by either saying "OK, Google" or by tapping the surface. About 4,000 Google Home Mini units were distributed to early reviewers and those who attended Google's most recent launch event. Artem Russakovskii from Android Police first discovered the issue with his unit, ultimately causing Google to "permanently [nerf] all Home Minis" because his spied on everything he said 24/7.

Slashdot Top Deals